Symantec Access Management

  • 1.  SiteMinder sends multiple "Audience" values in SAML assertion

    Posted Jul 26, 2017 03:19 PM

    Hello,

     

    In this scenario, our SiteMinder is the SAML IDP and we have three separate SAML SSO configurations with a single SAML SP partner.  The SAML SP partner has one single SAML ACS, but we are setting up three separate SAML IDPs to connect to this SP partner.

     

    On our SiteMinder IDP side, we configured three unique SAML SP entity IDs.  The problem we run into is that our SAML SP partner requires that the value of the "audience" match the SP ACS.  From our SiteMinder IDP, we configure the "Audience" field with the value of the SAML SP ACS, but the "SP entity ID" value will also become an additional "audience" value and therefore the SAML assertion will have two "audience" values.

     

```xml
</ns2:Subject>
<ns2:Conditions NotBefore="2017-07-26T19:01:08Z" NotOnOrAfter="2017-07-26T19:03:08Z">
  <ns2:AudienceRestriction>
    <ns2:Audience>[this-value-came-from-the-"Audience"-field]</ns2:Audience>
  </ns2:AudienceRestriction>
  <ns2:AudienceRestriction>
    <ns2:Audience>[this-value-came-from-the-"SP Entity ID"-field]</ns2:Audience>
  </ns2:AudienceRestriction>
</ns2:Conditions>
```

    Is there a way to tell SiteMinder to NOT send the value of the "SP Entity ID" as an "audience" value in the SAML assertion "Audience Restriction" element?



  • 2.  Re: SiteMinder sends multiple "Audience" values in SAML assertion
    Best Answer

    Broadcom Employee
    Posted Jul 31, 2017 01:41 PM

    No, this is not possible.  The SAML standard dictates that an IDP must include the SPID as the value of the Audience element.  The SAML standard also states that when multiple Audience elements are included in an assertion, the relying party MUST evaluate each value, so any software that cannot handle multiple Audience elements is not fully SAML compliant.

     

    From the Oasis document:
    "The audience restriction condition evaluates to Valid if and only if the SAML relying party is a member of one or more of the audiences specified."

     

    "Note that multiple <AudienceRestriction> elements MAY be included in a single assertion, and each MUST be evaluated independently."

     

    Regards,

    Pete



  • 3.  Re: SiteMinder sends multiple "Audience" values in SAML assertion

    Posted Jul 31, 2017 02:20 PM

    Hi Pete,

     

    Thank you so much for this information.



  • 4.  RE: Re: SiteMinder sends multiple "Audience" values in SAML assertion

    Posted Jan 15, 2020 11:23 AM
    Hi Peter,

    There is a problem with Siteminder regarding what is stated here.
    When the SPID is provided in the "Audiences" field while configuring the IDP, Siteminder does not actually interpret it as MULTIPLE AUDIENCES; instead, it is interpreted as MULTIPLE AUDIENCE RESTRICTIONS, which makes a huge difference since the same OASIS document says:

    "Note that multiple <AudienceRestriction> elements MAY be included in a single assertion, and each MUST be evaluated independently. The effect of this requirement and the preceding definition is that within a given <AudienceRestriction>, the <Audience> elements form a disjunction (an "OR") while multiple <AudienceRestriction> elements form a conjunction (an "AND")"

    The actual behavior of Siteminder (12.8.02) is as follows:

```xml
</ns2:Subject>
<ns2:Conditions NotBefore="2017-07-26T19:01:08Z" NotOnOrAfter="2017-07-26T19:03:08Z">
  <ns2:AudienceRestriction>
    <ns2:Audience>[this-value-came-from-the-"SP Entity ID"-field]</ns2:Audience>
  </ns2:AudienceRestriction>
  <ns2:AudienceRestriction>
    <ns2:Audience>[this-value-came-from-the-"Audiences"-field-from-IDP-Partnership]</ns2:Audience>
  </ns2:AudienceRestriction>
</ns2:Conditions>
```

    Is there any way to achieve the following behavior, which in my opinion should be the correct one?

```xml
</ns2:Subject>
<ns2:Conditions NotBefore="2017-07-26T19:01:08Z" NotOnOrAfter="2017-07-26T19:03:08Z">
  <ns2:AudienceRestriction>
    <ns2:Audience>[this-value-came-from-the-"SP Entity ID"-field]</ns2:Audience>
    <ns2:Audience>[this-value-came-from-the-"Audiences"-field-from-IDP-Partnership]</ns2:Audience>
  </ns2:AudienceRestriction>
</ns2:Conditions>
```

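To make the AND-versus-OR distinction from posts 2 and 4 concrete, here is an added example (not from the thread, and not SiteMinder or any vendor code) in Python: an SP-side check of the audience condition as SAML 2.0 Core section 2.5.1.4 defines it, run against two constructed assertions, one shaped like the SiteMinder output shown above (two `<AudienceRestriction>` elements) and one shaped like the requested form (one `<AudienceRestriction>` with two `<Audience>` values). The entity ID, ACS URL and issuer are made-up placeholders.

```python
"""Evaluate a SAML 2.0 <AudienceRestriction> condition the way the Core spec
(section 2.5.1.4) tells a relying party to: within one <AudienceRestriction>
the <Audience> values are OR'd; separate <AudienceRestriction> elements are
AND'd. The assertions below are constructed for this example, not captured
from SiteMinder."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Hypothetical stand-ins for the two configured values discussed in the thread.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"   # "SP Entity ID" field
SP_ACS_URL = "https://sp.example.com/saml/acs"          # "Audience(s)" field


def _assertion(conditions: str) -> str:
    """Wrap a <Conditions> body in a minimal (unsigned) constructed assertion."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c1" Version="2.0" IssueInstant="2017-07-26T19:01:08Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Conditions NotBefore="2017-07-26T19:01:08Z" NotOnOrAfter="2017-07-26T19:03:08Z">
{conditions}
  </saml:Conditions>
</saml:Assertion>"""


# Shape reported for SiteMinder: two <AudienceRestriction> elements (conjunction).
SITEMINDER_STYLE = _assertion(f"""    <saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction>
    <saml:AudienceRestriction>
      <saml:Audience>{SP_ACS_URL}</saml:Audience>
    </saml:AudienceRestriction>""")

# Shape requested in post 4: one <AudienceRestriction>, two <Audience> values (disjunction).
SINGLE_RESTRICTION = _assertion(f"""    <saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
      <saml:Audience>{SP_ACS_URL}</saml:Audience>
    </saml:AudienceRestriction>""")


def audience_restrictions(assertion_xml: str) -> list[list[str]]:
    """Return one list of <Audience> values per <AudienceRestriction>, in document order."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return []
    return [
        [(a.text or "").strip() for a in ar.findall("saml:Audience", NS)]
        for ar in conditions.findall("saml:AudienceRestriction", NS)
    ]


def audience_condition_valid(assertion_xml: str, my_identifiers: set[str]) -> bool:
    """Valid iff, for EVERY <AudienceRestriction>, the relying party is a member of
    AT LEAST ONE of its <Audience> values. An <AudienceRestriction> with no
    <Audience> children can never be satisfied. No restriction at all means no
    audience condition, so this returns True; an SP may still reject that by policy.
    Only the audience condition is checked here: signature, NotBefore/NotOnOrAfter,
    Recipient and InResponseTo must be validated separately."""
    return all(
        any(aud in my_identifiers for aud in restriction)
        for restriction in audience_restrictions(assertion_xml)
    )


def compare() -> dict[str, bool]:
    """Evaluate both constructed shapes for an SP that identifies itself only by its
    ACS URL, and for one that accepts both its entity ID and its ACS URL."""
    acs_only = {SP_ACS_URL}
    both = {SP_ENTITY_ID, SP_ACS_URL}
    return {
        "siteminder_acs_only": audience_condition_valid(SITEMINDER_STYLE, acs_only),  # False: entity-ID restriction unmet
        "siteminder_both": audience_condition_valid(SITEMINDER_STYLE, both),          # True
        "single_acs_only": audience_condition_valid(SINGLE_RESTRICTION, acs_only),    # True: OR within one restriction
        "single_both": audience_condition_valid(SINGLE_RESTRICTION, both),            # True
    }


if __name__ == "__main__":
    for name, ok in compare().items():
        print(f"{name}: {'valid' if ok else 'INVALID'}")
```

The first case is the one that bites in the thread: an SP that recognises only its ACS URL as an audience satisfies the second `<AudienceRestriction>` but not the first, and the conjunction fails, whereas the same two values inside a single `<AudienceRestriction>` pass. An SP that treats both its entity ID and its ACS URL as its own identifiers accepts either shape, so the shape of the emitted `<Conditions>` only matters when the two sides disagree about what the SP's audience identifier is.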

  • 5.  Re: SiteMinder sends multiple "Audience" values in SAML assertion

    Posted Aug 01, 2017 09:30 AM

    Hi,

     

    As per the SAML spec, "The audience restriction condition evaluates to Valid if and only if the SAML relying party is a member of one or more of the audiences specified." Hence it is mandatory to have the SPID as an audience value.

    Please refer to the link below for more details (page 23).
    https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

     

    Thanks,
    Sharan